correct

Signed-off-by: zhzhuang-zju <m17799853869@163.com>

.github/workflows/ci-image-scanning-on-pull-request.yaml

@@ -0,0 +1,76 @@
+name: image-scanning
+on:
+  pull_request:
+  push:
+jobs:
+  use-trivy-to-scan-image:
+    name: image scannning
+    # prevent job running from forked repository
+    # if: ${{ github.repository == 'karmada-io/karmada' }}
+    runs-on: ubuntu-22.04
+    steps:
+      - name: checkout code
+        uses: actions/checkout@v3
+      - name: install Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.20.11
+      - name: Image scan
+        run: |
+          hack/scan-image-vuln.sh -f table
+      - id: Collect_vulnerability_data
+        run: |
+          vulns_on_pr=$(hack/scan-image-vuln.sh -s -f json)
+          echo "pkgName_arr=($(echo "${vulns_on_pr}" | grep PkgName | awk '{print $2}' | tr ',\n' '\0' | xargs -0))" >> "$GITHUB_OUTPUT"
+          echo "cve_arr=($(echo "${vulns_on_pr}" | grep VulnerabilityID | awk '{print $2}' | tr ',\n' '\0' | xargs -0))" >> "$GITHUB_OUTPUT"
+          echo "fixedVersion_arr=($(echo "${vulns_on_pr}" | grep FixedVersion | awk '{print $2}' | tr ',\n' '\0' | xargs -0))" >> "$GITHUB_OUTPUT"
+      - name: chekcout to head code
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - id: Collect_head_branch_vulnerability_data
+        run: |
+          vulns_on_head=$(hack/scan-image-vuln.sh -f json)
+          echo "pkgName_head_arr=($(echo "${vulns_on_head}" | grep PkgName | awk '{print $2}' | tr ',\n' '\0' | xargs -0))" >> "$GITHUB_OUTPUT"
+          echo "cve_head_arr=($(echo "${vulns_on_head}" | grep VulnerabilityID | awk '{print $2}' | tr ',\n' '\0' | xargs -0))" >> "$GITHUB_OUTPUT"
+      - name: Determine if there are any new vulnerabilities
+        run: |
+          pkgName_arr=${{steps.Collect_vulnerability_data.outputs.pkgName_arr}}
+          cve_arr=${{steps.Collect_vulnerability_data.outputs.cve_arr}}
+          fixedVersion_arr=${{steps.Collect_vulnerability_data.outputs.fixedVersion_arr}}
+          declare -A prVulnMap
+          for ((i=0; i<${#cve_arr[@]}; i++));
+          do 
+            prVulnMap["Library:${pkgName_arr[$i]} Vulnerability:${cve_arr[$i]}"]="FixedVersion:${fixedVersion_arr[$i]}"
+          done  
+          
+          pkgName_head_arr=${{steps.Collect_head_branch_vulnerability_data.outputs.pkgName_head_arr}}
+          cve_head_arr=${{steps.Collect_head_branch_vulnerability_data.outputs.cve_head_arr}}
+          declare -A headVulnMap
+          for ((i=0; i<${#cve_head_arr[@]}; i++));
+          do 
+            headVulnMap["Library:${pkgName_head_arr[$i]} Vulnerability:${cve_head_arr[$i]}"]=" "
+          done  
+          
+          echo "=============fixed vuln============="
+          for key in "${!headVulnMap[@]}";
+          do 
+            if [[ ! -v prVulnMap[$key] ]]; then
+              echo "${key} has been fixed in this pr"
+            fi
+          done
+          
+          echo "=============warn: add vuln============="
+          for key in "${!prVulnMap[@]}";
+          do 
+            if [[ ! -v headVulnMap[$key] ]]; then
+              echo "This PR introduces a security vulnerability ${key}, which can be resolved by bumping to ${prVulnMap[${key}]}."
+            fi
+          done
+
+          
+          
+          
+          
+          
+          

go.mod

@@ -165,7 +165,7 @@ require (
 	go.uber.org/atomic v1.10.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.25.0 // indirect
-	golang.org/x/crypto v0.16.0 // indirect
+	golang.org/x/crypto v0.17.0 // indirect
 	golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e // indirect
 	golang.org/x/mod v0.14.0 // indirect
 	golang.org/x/oauth2 v0.10.0 // indirect

go.sum

@@ -897,8 +897,8 @@ golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20211215165025-cf75a172585e/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
 golang.org/x/crypto v0.0.0-20220112180741-5e0467b6c7ce/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.16.0 h1:mMMrFzRSCF0GvB7Ne27XVtVAaXLrPmgPC7/v0tkwHaY=
-golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
+golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=

hack/scan-image-vuln.sh

@@ -0,0 +1,117 @@
+#!/usr/bin/env bash
+# Copyright 2024 The Karmada Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# This script starts a images scanning with trivy
+# This script depends on utils in: ${REPO_ROOT}/hack/util.sh
+# 1. used to locally scan Karmada component images vulnerabilities with trivy
+# 2. Used to scan specified image with trivy
+
+function usage() {
+    echo "Usage:"
+    echo "    hack/scan-image-vuln.sh [-i imageRef] [-r registry] [-v version] [-s skip-image-generation] [-f format][-h]"
+    echo "Examples:"
+    echo "    # starts a images scanning with specific image provided"
+    echo "    hack/scan-image-vuln.sh -i docker.io/karmada/karmada-controller-manager:v1.8.0"
+    echo "    # scan Karmada component images with trivy and images will be automatically generated, imageRef='docker.io/karmada/{imageName}:latest'"
+    echo "    hack/scan-image-vuln.sh"
+    echo "    # scan Karmada component images with trivy and images generation will be skipped, imageRef='docker.io/karmada/{imageName}:latest'"
+    echo "    hack/scan-image-vuln.sh -s"
+    echo "    # scan Karmada component images with trivy and provide specific image's registry or version"
+    echo "    hack/scan-image-vuln.sh -r foo # imageRef='foo/{imageName}:latest'"
+    echo "    hack/scan-image-vuln.sh -s -v v1.8.0 # imageRef='docker.io/karmada/{imageName}:v1.8.0'"
+    echo "Args:"
+    echo "    i imageRef: starts a images scanning with specific image provided, if not provided, local Karmada images will be scanned"
+    echo "    r registry: registry of images"
+    echo "    v version: version of images"
+    echo "    s skip-image-generation: whether to skip image generation"
+    echo "    h: print help information"
+}
+
+while getopts 'h:si:r:v:f:' OPT; do
+    case $OPT in
+        h)
+          usage
+          exit 0
+          ;;
+        s)
+        	SKIP_IMAGE_GENERAION="true";;
+        i)
+        	IMAGEREF=${OPTARG};;
+       	r)
+       		REGISTRY=${OPTARG};;
+        v)
+        	VERSION=${OPTARG};;
+        f)
+        	FORMAT=${OPTARG};;
+        ?)
+          usage
+          exit 1
+          ;;
+    esac
+done
+
+FORMAT=${FORMAT:-"docker.io/karmada"}
+SKIP_IMAGE_GENERAION=${SKIP_IMAGE_GENERAION:-"false"}
+IMAGEREF=${IMAGEREF:-""}
+
+source "hack/util.sh"
+
+echo -n "Preparing: 'trivy' existence check - "
+if util::cmd_exist trivy ; then
+	echo "pass"
+else
+	echo "start installing trivy"
+	curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.48.1
+fi
+
+if [ ${IMAGEREF} ];then
+	echo "---------------------------- the image scanning result of Image <<${IMAGEREF}>> ----------------------------"
+  trivy image --format ${FORMAT} --ignore-unfixed --vuln-type os,library --severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL -q ${IMAGEREF}
+  exit 0
+fi
+
+REPO_ROOT=$(dirname "${BASH_SOURCE[0]}")/..
+cd "${REPO_ROOT}"
+export VERSION=${VERSION:-"latest"}
+export REGISTRY=${REGISTRY:-"docker.io/karmada"}
+IMAGE_ARRAR=(
+	karmada-controller-manager
+  karmada-scheduler
+  karmada-descheduler
+  karmada-webhook
+  karmada-agent
+  karmada-scheduler-estimator
+  karmada-interpreter-webhook-example
+  karmada-aggregated-apiserver
+  karmada-search
+  karmada-operator
+  karmada-metrics-adapter
+)
+if [ ${SKIP_IMAGE_GENERAION} == "false" ]; then
+	echo "start generating image"
+	make images GOOS="linux" --directory=.
+fi
+
+echo "start image scan"
+for image in ${IMAGE_ARRAR[@]}
+do
+  imageRef="$REGISTRY/$image:$VERSION"
+  echo "---------------------------- the image scanning result of Image <<$imageRef>> ----------------------------"
+  trivy image --format ${FORMAT} --ignore-unfixed --vuln-type os,library --severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL -q $imageRef
+done

vendor/modules.txt

@@ -587,7 +587,7 @@ go.uber.org/zap/internal/exit
 go.uber.org/zap/internal/pool
 go.uber.org/zap/zapcore
 go.uber.org/zap/zapgrpc
-# golang.org/x/crypto v0.16.0
+# golang.org/x/crypto v0.17.0
 ## explicit; go 1.18
 golang.org/x/crypto/cryptobyte
 golang.org/x/crypto/cryptobyte/asn1